Erazer Lite

 

1.Summary

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

2.Aliases

  • Backdoor.Eraser.Web

3.Characteristics

Erazer Lite is a Remote Access Trojan consisting of a server component, client component and a server editor component.

The characteristics of this Trojan with regards to the file names, port number used, etc will differ, depending on the way in which the attacker had configured it. Hence, this is a general description.

A.Server Component:

When the server component is executed, the Trojan drops itself to:

  • %system%\msiecfg.exe

The following registry entry is created, so it can run at system startup:

  •  Hkey_Current_User\Software\EZ "0"
     Data: C:\Windows\System32\msiecfg.exe
  • Hkey_Current_User\Software\Microsoft\
    Windows\CurrentVersion\Run "iexplorer"
     Data: C:\Windows\System32\msiecfg.exe

Once running, the server component connects to a pre-defined IP address on a pre-defined port, waiting for commands from the attacker

 

Note: %System% is a variable location and refers to the windows system directory.

B.Client Component:

The client component runs on the attacker抯 computer, and connects to the server component on the victim抯 machine remotely.

 The following are a list of some of the functions that are available to the attacker:

 

  • Process Manager (List, kill running processes)
  • File Manager (List, upload, download, delete)
  • Registry Manager (Browse Registry, add, edit, delete keys)
  • Windows Manager (Browse, close, maximize/minimize, rename)
  • Get system information
  • Extract passwords from machine
  • Key logger
  • Read/Modify contents of the clipboard
  • Screen capture
  • Pranks played on the victim (Hiding desktop icons, start button, taskbar, opening and closing CD-Rom)
  • Desktop logoff, reboot or shutdown
  • FTP-server, Telnet-Server
  • Format drives

 

C.Miscellaneous Information:

  • This Trojan is written in Delphi
  • The author抯 intended name for the Trojan is 揈razer Lite

4.  Detects Trojan

The communication between client and server of Trojan is usually with TCP, UDP and ICMP protocol. Sax2 from Ax3soft is based on the analysis of protocol and can accurate tracking network connecting conversation and reorganize the TCP / IP data of the communication. When it detect that your network in the risk of Trojans, it will immediately suspended or interference with communications of Trojan to protect your network from attack. Why not have a try? Sax2 will immediately upgrade it’s Security Strategy Knowledge Base after finished installation. Below will introduce how to use Sax2 to detect whether your system has infected of the Trojan - Erazer Lite.

First of all, launch and run Sax2, switch to "EVENTS" pages. If there is Erazer Lite  communication in your network, Sax2 will immediately report and interrupt Trojan communications. See the picture: